PT-2018-3936 · Red Hat · Glusterfs

Reported by Michael Hanselmann

Published 2018-11-01 · Updated 2023-02-13

CVE-2018-14660

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: glusterfs versions 3.1.2 through 4.1.4
Description: A flaw in the glusterfs server allows repeated use of the GF_META_LOCK_KEY xattr. A remote attacker who can connect to a volume as an authenticated client can set this xattr on the same inode again and again; every setxattr creates one more lock for that inode, and the server does not bound how many such locks may accumulate. Memory on the glusterfs server node is eventually exhausted, which denies service to all clients of that node. The root cause is uncontrolled resource consumption: resources are allocated on request without any limit or throttling.
Recommendations: Apply the vendor updates listed under Related Identifiers (RHSA-2018:3431, RHSA-2018:3432 and RHSA-2018:3470 for Red Hat, DLA-2806-1 for Debian LTS, USN-4770-1 for Ubuntu), or upgrade to a glusterfs release that contains the fix. Restricting setxattr for this key or capping the number of locks per inode would remove the problem, but both are changes to the server code rather than administrator-level settings, so on an unpatched node reduce exposure instead: the attack requires an authenticated client, so restrict which hosts may mount the volume (for example with the auth.allow volume option, or TLS client authentication), keep the brick network off untrusted segments, and monitor glusterfsd memory use so that sustained growth on one node is noticed before it is exhausted.
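The resource pattern described above (a per-inode lock list that grows by one entry for every repeated setxattr) and the "limit the number of locks per inode" idea from the recommendations, as an added C example. This is not glusterfs code and does not reproduce its data structures or the real xattr key: toy_inode, meta_lock_link, meta_lock_set_vulnerable, meta_lock_set_hardened, meta_lock_unset, META_LOCK_MAX and the errno values chosen are hypothetical and only model the CWE-770 shape of the bug beside a bounded variant.

```c
/* Added example (not glusterfs code): a toy per-inode lock list showing
 * the unbounded-allocation pattern behind CVE-2018-14660 next to a bounded
 * version. All names here are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define META_LOCK_MAX 32   /* hypothetical per-inode ceiling */

struct meta_lock {
    uint64_t owner;            /* client/connection that set the xattr */
    struct meta_lock *next;
};

struct toy_inode {
    size_t nlocks;
    struct meta_lock *locks;   /* singly linked list, one node per lock */
};

/* Allocate one lock and link it onto the inode. 0 on success, -ENOMEM. */
int meta_lock_link(struct toy_inode *ino, uint64_t owner)
{
    struct meta_lock *l = calloc(1, sizeof *l);
    if (!l)
        return -ENOMEM;
    l->owner = owner;
    l->next = ino->locks;
    ino->locks = l;
    ino->nlocks++;
    return 0;
}

/* Vulnerable shape: every request allocates and links a new lock, with no
 * check on what is already attached. Memory grows with request count. */
int meta_lock_set_vulnerable(struct toy_inode *ino, uint64_t owner)
{
    return meta_lock_link(ino, owner);
}

/* Hardened shape: a repeated request from the same owner is rejected as a
 * duplicate, and the total per inode is capped before anything is allocated. */
int meta_lock_set_hardened(struct toy_inode *ino, uint64_t owner)
{
    for (struct meta_lock *l = ino->locks; l; l = l->next)
        if (l->owner == owner)
            return -EEXIST;        /* already locked by this owner */
    if (ino->nlocks >= META_LOCK_MAX)
        return -ENOLCK;            /* hard ceiling reached */
    return meta_lock_link(ino, owner);
}

/* Release the lock held by `owner`. 0 on success, -ENOENT if none. */
int meta_lock_unset(struct toy_inode *ino, uint64_t owner)
{
    for (struct meta_lock **pp = &ino->locks; *pp; pp = &(*pp)->next) {
        if ((*pp)->owner == owner) {
            struct meta_lock *dead = *pp;
            *pp = dead->next;
            free(dead);
            ino->nlocks--;
            return 0;
        }
    }
    return -ENOENT;
}

void meta_lock_free_all(struct toy_inode *ino)
{
    while (ino->locks)
        meta_lock_unset(ino, ino->locks->owner);
}

/* Drive `attempts` lock requests at a fresh inode, either from one client
 * repeating itself or from distinct owners, through the vulnerable or the
 * hardened path. Returns how many locks remain attached, i.e. the memory
 * the server keeps holding for this single inode. */
size_t simulate_lock_storm(size_t attempts, int hardened, int distinct_owners)
{
    struct toy_inode ino = {0, NULL};
    for (size_t i = 0; i < attempts; i++) {
        uint64_t owner = distinct_owners ? (uint64_t)i + 1 : 1;
        if (hardened)
            meta_lock_set_hardened(&ino, owner);
        else
            meta_lock_set_vulnerable(&ino, owner);
    }
    size_t n = ino.nlocks;
    meta_lock_free_all(&ino);
    return n;
}

/* Walk the hardened path through set, duplicate set, unset and double
 * unset; returns 1 if every step reported the expected result. */
int hardened_lock_cycle(void)
{
    struct toy_inode ino = {0, NULL};
    int ok = meta_lock_set_hardened(&ino, 7) == 0
          && meta_lock_set_hardened(&ino, 7) == -EEXIST
          && meta_lock_unset(&ino, 7) == 0
          && meta_lock_unset(&ino, 7) == -ENOENT
          && ino.nlocks == 0;
    meta_lock_free_all(&ino);
    return ok;
}
```

With one client repeating the same request, the vulnerable path keeps one lock per request while the hardened path keeps one lock in total; with many distinct owners the hardened path stops at META_LOCK_MAX. The duplicate check alone is not enough, since an attacker can vary the owner, which is why a hard per-inode ceiling is also needed.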

Fix

Vendor updates are listed under Related Identifiers: RHSA-2018:3431, RHSA-2018:3432 and RHSA-2018:3470 (Red Hat), DLA-2806-1 (Debian LTS) and USN-4770-1 (Ubuntu).

Weakness Enumeration

Allocation of Resources Without Limits (CWE-770)

Resource Exhaustion (CWE-400)

Related Identifiers

BDU:2023-05467
CVE-2018-14660
DLA-2806-1
RHSA-2018:3431
RHSA-2018:3432
RHSA-2018:3470
USN-4770-1

Affected Products

Ubuntu
Glusterfs